CFPB Makes First Data Security Enforcement against Dwolla
The CFPB has hit online payments provider Dwolla with an enforcement action over what the agency describes as misleading claims the company made about customers’ data security and the risks of using Dwolla’s online system. The action is the CFPB’s first enforcement related to a data security issue, the agency said.
From December 2010 until 2014, Des Moines, Iowa-based Dwolla told consumers that its transactions were "safe" and "secure" and that it protected the data it collected, including names and addresses as well as Social Security numbers and bank account information, from unauthorized access. On its Website and in other communications with customers, Dwolla said its data security practices exceeded industry standards and were PCI-DSS compliant, and that it encrypted all sensitive personal information. However, Dwolla's data security "fell far short" of those claims, the CFPB said. Specifically, the agency found that Dwolla "failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access." Further, the company did not encrypt consumers' data as advertised, and it released applications to the public before they had been properly tested for security, according to the CFPB.
Under terms of the enforcement action—through which Dwolla does not admit or deny any of the findings of fact or conclusions of law—the CFPB has ordered Dwolla to pay a $100,000 fine, cease misrepresenting its security practices and perform a comprehensive analysis and improvement of its data security. The company also must enact a program of risk assessments and audits and train employees on security policies and procedures.
“With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing,” said CFPB Director Richard Cordray. “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
Kim Phan, of counsel in Ballard Spahr's Washington, D.C., office, acknowledges that the $100,000 fine seems low given that CFPB penalties tend to run into the millions. "Importantly, there are no allegations of actual consumer harm in this case other than the deception—there is no breach being cited as the nexus for this enforcement action."
The key takeaway: “Data security can no longer be an IT issue, it must be considered a compliance issue,” Phan adds. “The industry must be ready to respond to enhanced CFPB activity in this area. Up until now the CFPB during examinations has treated data security as a check-the-box item, but companies must now be prepared for heightened scrutiny. Having policies and procedures, employee training and monitoring mechanisms in place is typical of the CFPB’s approach toward compliance, but the consent order emphasizes that the CFPB expects board-level involvement in data security as well as a designated individual, such as a chief information security officer, to be in charge of and take responsibility for company data security. Despite the MOU with the FTC, the CFPB is expanding its already robust portfolio into another area of the law, which is arguably already being adequately covered by other federal agencies.”